Important Information:

| Step | Description |
|---|---|
| 1 | See the Known Limitation VSECPC-1341 in the R80.20.M1 Known Limitations SK. |
| 2 | See the R80.20.M1 CloudGuard Controller Administration Guide for a list of supported gateways. |
| 3 | When you upgrade a vSEC Controller R80.10 or below to R80.20.M1, these files are overwritten with default values: Before you begin the upgrade, back up all files you changed in the past. |
| 4 | Before you begin the upgrade on a vSEC Controller R80.10 or below, if you have a Cisco APIC server, keep only one URL. After the upgrade, add the other URLs. |

Note - During the upgrade, vSEC Controller R80.10 or below does not communicate with the Data Centers. Therefore, Data Center objects are not updated on the vSEC Controller or the Security Gateways.
In the R80.20.M1 Security Management Server, the CloudGuard Controller is disabled by default.
Note - On the Management Servers in High Availability deployment, perform these steps on both Management Servers.
To enable the CloudGuard Controller on the Management Server:

| Step | Description |
|---|---|
| 1 | Connect to the command line on the Management Server. |
| 2 | Log in to Gaia Clish, or Expert mode. |
| 3 | On a Multi-Domain Server, go to the main MDS context: |
| 4 | Enable the CloudGuard Controller: The output shows: |

To disable the CloudGuard Controller on the Management Server:

| Step | Description |
|---|---|
| 1 | Connect to the command line on the Management Server. |
| 2 | Log in to Gaia Clish, or Expert mode. |
| 3 | On a Multi-Domain Server, go to the main MDS context: |
| 4 | Disable the CloudGuard Controller: The command prompts you: After you confirm, the output shows: Note - When you disable CloudGuard Controller, CloudGuard Controller functionality does not work. |

To upgrade the R80 vSEC Controller to R80.20.M1, contact Check Point Support.
Important - After the upgrade is complete, the vSEC Controller is disabled by default. To enable it, connect to the command line on the Management Server and run the vsec on command.
CloudGuard Controller works with these Security Gateways:
Important - To use the CloudGuard Controller with R77.20 and R77.30 Security Gateways (R77.30 gateways with Jumbo Hotfix Accumulator below Take 309), you must install the CloudGuard Controller / vSEC Controller Enforcer Hotfix on those R77.20 and R77.30 Security Gateways. See sk129152.
Install the vSEC Controller Enforcer Hotfix on R77.30 Security Gateways with CPUSE, online or offline.
See sk120464. Go to Installation Instructions > Install Security Gateway and R80 vSEC Controller v2 Enforcer Hotfix.
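The hotfix rule above, applied to a gateway inventory, as an added example (not Check Point code). The `name,version,jhf_take` input format, the action keywords and the sample gateways are assumptions of this example; it reads the note as meaning that R77.30 at Take 309 or above needs no separate Enforcer Hotfix.

```shell
#!/bin/sh
# Added example: which gateways need the Enforcer Hotfix, and by which method.

# enforcer_action VERSION TAKE -> prints one action keyword
enforcer_action() {
    version=$1
    take=${2:-0}            # empty take = no Jumbo Hotfix Accumulator recorded
    case $take in
        *[!0-9]*) echo "invalid-take"; return 1 ;;   # reject non-numeric takes
    esac
    case $version in
        R77.20) echo "hotfix-cli" ;;                 # CLI (Legacy) installation
        R77.30)
            if [ "$take" -lt 309 ]; then
                echo "hotfix-cpuse"                  # CPUSE, online or offline
            else
                echo "none"                          # Take 309 or above
            fi ;;
        *) echo "check-admin-guide" ;;   # supported versions are listed in the guide
    esac
}

# plan_inventory: reads name,version,jhf_take lines on stdin, prints "name action"
plan_inventory() {
    while IFS=, read -r name version take; do
        case $name in ''|'#'*) continue ;; esac      # skip blank and comment lines
        action=$(enforcer_action "$version" "$take") || true
        printf '%s %s\n' "$name" "$action"
    done
}

# Constructed sample inventory (hypothetical gateway names)
sample_inventory() {
cat <<'EOF'
# name,version,jhf_take
gw-dc1,R77.30,286
gw-dc2,R77.30,309
gw-branch,R77.20,
gw-lab,R77.30,abc
gw-new,R80.10,
EOF
}

sample_inventory | plan_inventory
```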
CPUSE Online installation on R77.30 Security Gateways:

| Step | Description |
|---|---|
| 1 | In your web browser, connect to the Gaia Portal on the R77.30 Security Gateway at: |
| 2 | From the left tree, click Upgrades (CPUSE) > Status and Actions. |
| 3 | Above the list of all software packages, click Showing Recommended packages and select All. |
| 4 | Select the R77.30 vSEC Controller Enforcer Hotfix package. |
| 5 | On the toolbar, click More > Verify. |
| 6 | Select the R77.30 vSEC Controller Enforcer Hotfix package. |
| 7 | On the toolbar, click Install Update. |
| 8 | The online installation starts immediately. The Security Gateway reboots when installation is complete. |

CPUSE Offline installation on R77.30 Security Gateways:

| Step | Description |
|---|---|
| 1 | Install the latest build of CPUSE Agent from sk92449 on the R77.30 Security Gateway. See Section 3 to find the latest CPUSE build, and Section 4-A to download and import a CPUSE package. |
| 2 | In your web browser, connect to the Gaia Portal on the R77.30 Security Gateway at: |
| 3 | From the left tree, click Upgrades (CPUSE) > Status and Actions. |
| 4 | Click the Import Package button on the toolbar. The Import Package window opens. |
| 5 | Click Browse and go to the CPUSE package (offline TGZ file or exported TAR file) of R77.30 vSEC Controller Enforcer Hotfix. |
| 6 | Click Upload. |
| 7 | Above the list of all software packages, click Showing Recommended packages and select All. |
| 8 | Select the imported CPUSE package. |
| 9 | On the toolbar, click More > Verify. |
| 10 | Select the imported CPUSE package. |
| 11 | On the toolbar, click Install Update. |
| 12 | The online installation starts immediately. The Security Gateway reboots when installation is complete. |

To uninstall the Hotfix:

| Step | Description |
|---|---|
| 1 | In your web browser, connect to the Gaia Portal on the R77.30 Security Gateway at: |
| 2 | From the left tree, click Upgrades (CPUSE) > Status and Actions. |
| 3 | Above the list of all software packages, click Showing Recommended packages and select All. |
| 4 | Select the vSEC Controller Hotfix package. |
| 5 | On the toolbar, click Uninstall. |
| 6 | The Security Gateway reboots when uninstall is complete. |

Use the CLI (Legacy) installation to install the R77.20 vSEC Controller Enforcer Hotfix on R77.20 Security Gateways. See sk120464. Go to Installation Instructions > Install Security Gateway and R80.10 vSEC Controller v1 Enforcer Hotfix.
To install the R77.20 vSEC Controller Enforcer Hotfix with the CLI:

| Step | Description |
|---|---|
| 1 | Download the R77.20 vSEC Controller Enforcer Hotfix package. |
| 2 | Transfer the package to the R77.20 Security Gateway. |
| 3 | Connect to the command line on the R77.20 Security Gateway. |
| 4 | Log in to the Expert mode. |
| 5 | Extract the package: |
| 6 | Install the package: |
| 7 | Follow the instructions on the screen. |
| 8 | Reboot the R77.20 Security Gateway. |

To uninstall the Hotfix:

| Step | Description |
|---|---|
| 1 | Connect to the command line on the R77.20 Security Gateway. |
| 2 | Log in to the Expert mode. |
| 3 | Uninstall the package: For the correct file name, see sk111963. |
| 4 | Reboot the R77.20 Security Gateway. |

For a Security Gateway to work with Data Center objects:

| Step | Description |
|---|---|
| 1 | In SmartConsole, from the left navigation panel, click Gateways & Servers. |
| 2 | Open the applicable Security Gateway object. |
| 3 | From the left tree, click General Properties. |
| 4 | On the Network Security tab, select the Identity Awareness Software Blade. The Identity Awareness Configuration > Methods for Acquiring Identity window opens. Clear the AD Query, if it is not necessary. |
| 5 | Select I do not wish to configure an Active Directory at this time. The Identity Awareness Software Blade is activated by default. |
| 6 | Click Next > Finish. |
| 7 | From the left tree, click Identity Awareness. |
| 8 | Select Identity Web API. |
| 9 | Click Settings. The Identity Web API Settings window opens. |
| 10 | From the Authorized Clients section, add the 127.0.0.1 host object. |
| 11 | In the Selected Client Secret, enter a secret word. Press Generate to create the client secret. Click OK. |
| 12 | Install the Access Control Policy. |

To work with Data Center objects, you must:
To enable Identity Awareness Software Blade:

| Step | Description |
|---|---|
| 1 | In SmartConsole, from the left navigation panel, click Gateways & Servers. |
| 2 | Open the applicable Security Gateway object. |
| 3 | From the left tree, click General Properties. |
| 4 | On the Network Security tab, select the Identity Awareness Software Blade. The Identity Awareness Configuration > Methods for Acquiring Identity window opens. Clear the AD Query, if it is not necessary. |
| 5 | Select Terminal Servers > Next. The Identity Awareness Configuration > Integration with Active Directory window opens. |
| 6 | Select I do not wish to configure an Active Directory at this time. The Identity Awareness Software Blade is activated by default. |
| 7 | Click Next > Finish. |
| 8 | Click OK. |
| 9 | Install the Access Control Policy. |

To enable the communication between the CloudGuard Controller and the Identity Awareness daemon on the Security Gateway:

| Step | Description |
|---|---|
| 1 | Connect to the command line on each applicable Security Gateway. |
| 2 | Log in to Gaia Clish, or Expert mode. |
| 3 | Enable the Identity Awareness API: Note: On a VSX Gateway, run the command in the context of each applicable Virtual System. |